A public-facing database containing 184,162,718 unencrypted passwords tied to major services—including Apple, Google, Microsoft, Facebook, Instagram, and bank and government portals—was discovered online. Cybersecurity expert Jeremiah Fowler identified the unsecured repository, attributing the leak likely to infostealer malware collecting browser-saved credentials without encryption or protection.
Information in plaintext makes this one of the gravest cybersecurity failures in recent memory. A sample of 10,000 records included credentials for Facebook, Google, Discord, PayPal, Netflix, Amazon, and over 220 .gov addresses across 29 countries. Fowler reported the discovery to the hosting provider World Host Group, which promptly removed access, but the owner remains unidentified.
Infostealer malware quietly extracts login and personal data from devices, then uploads them to attacker-controlled servers. These “malicious‑as‑a‑service” tools accounted for over 2.1 billion stolen credentials in 2024—more than 60% of all breaches—making them a preferred weapon for cybercriminals. The breach underscores the rising threat and the need for proactive security measures.
Experts issued urgent advice: immediately change compromised passwords, avoid reuse, enable two-factor authentication, and consider switching to encrypted passkeys. Jeremiah Fowler also recommended deleting sensitive content from email and using secure cloud storage instead.
